Author Archive - Nart Villeneuve (Senior Threat Researcher)

Throughout 2012, we investigated a variety of targeted attacks including several APT campaigns such as LuckyCat and Ixeshe, as well as updates on some long running campaigns such as Lurid/Enfal and Taidoor. There was a lot of great research within the community related to targeted attacks published this year, and I’ve clustered the research I found to be the most interesting into six themes that I think also encapsulate the trends in targeted attacks of 2012:

Targets and Tools – While targeted attacks were largely equated with APT during 2011, 2012 saw the emergence of a variety of attacks, especially those in the Middle East, including Shamoon in Saudi Arabia, the Mahdi Campaign, GAUSS and Wiper/Flame, which were all well documented by Kaspersky. There were other attacks related to the conflict in the Middle East, most notably Syria and Israel and Palestine (also see Norman’s analysis here). APT activity remained a significant concern in 2012, and Dell SecureWorks published a paper on clustering various APT campaigns as well as papers on Mirage and SinDigoo that illustrated the scope of the problem. Bloomberg published a series of articles about the “Comment Crew” that detailed the breadth and impact of an APT campaign. There was also considerable activity targeting Russia, Taiwan, South Korea, Vietnam, India and Japan. In addition to expanded geographic targets, we also saw the expansion of the technologies that were targeted, including Android mobile devices and the Mac platform. Seth Hardy from the Citizen Lab gave a great presentation at SecTor that provides an overview of the various Mac-related RATs (SabPub, MacControl, IMULER/Revir and Dokster) that emerged this year. And although we have seen smartcard-related attacks in the past, thanks to some great analysis of Sykipot from AlienVault we saw technical details around smartcards that were deliberately targeted.

Recently, the website “Hoax Slayer” pointed us to a spammed email message that warns users of a Tsunami and encourages them to click on a link to watch a video. The article, which the cybercriminals made to look like it came from “news.com.au”, claims that experts have predicted that a Tsunami will hit Australia on New Year’s Eve.

The “watch now” link connects to {BLOCKED}be.us and downloads a file that pretends to be an AVI in a ZIP archive. In reality, “sunami_australian_agency_of_volcanology_and_seismology.avi.pif” is a malicious file which Trend Micro detects as BKDR_DOKSTORMC.A.

Based on our analysis, this backdoor connects to {BLOCKED}s117.no-ip.org, which resolved to {BLOCKED}.{BLOCKED}.13.114 (but currently resolves to {BLOCKED}{BLOCKED}.116.223). It remains unclear who is behind the attack and what the motivation may be.

The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00. However, there are many forum posts complaining that the RAT is overpriced. There are also free cracked versions available for download from a variety of sources.

Arcom RAT was reportedly authored by “princeali” who has been actively coding RATs and malware for about a decade. The alias “princeali” is connected to a group known as NuclearWinterCrew which created the infamous NuclearRAT.

We recently documented an attack that leveraged the publicly available Xtreme RAT against targets in Israel; it was widely reported in the media. Our friends at Norman were able to link the attack to a yearlong campaign against both Israeli and Palestinian targets. We have found that the attacks are still ongoing and that the target set is broader than previously thought.

We discovered two emails sent from {BLOCKED}a.2011@gmail.com on Nov 11 and Nov 8 that primarily targeted the Government of Israel. One of the emails was sent to 294 email addresses. While the vast majority of the emails were sent to the Government of Israel at “mfa.gov.il”, “idf.gov.il,” and “mod.gov.il,” a significant number were also sent to the U.S. Government at “state.gov” email addresses. Other U.S. government targets also included “senate.gov” and “house.gov” email addresses. The email was also sent to “usaid.gov” email addresses.

The target list also included the governments of the UK (fco.gov.uk), Turkey (mfa.gov.tr), Slovenia (gov.si), Macedonia, New Zealand, and Latvia. In addition, the BBC (bbc.co.uk) and the Office of the Quartet Representative (quartetrep.org) were also targeted.

The malware BKDR_ADDNEW, better known as “DaRK DDoSseR” in the underground, is a tool that provides distributed denial of service (DDoS) capability combined with password-stealing functionality. The tool costs $30 and has been available for several years.

Recently, our friends at FireEye reported seeing computers that had been compromised by BKDR_ADDNEW and later updated with Gh0st RAT. While Gh0st RAT has been used in many targeted attacks, this threat and its many variants are widely available to both APT actors and cybercriminals alike.

When executed, BKDR_ADDNEW connects to a TCP port (the ports used by the samples analyzed were 443, 3176 and 3085, but the default port is 3175) to receive remote commands from a malicious operator. Some of the available commands include downloading files, stealing Mozilla Firefox passwords, showing DNS, and sending application privileges, among others. It also has the capability to launch denial of service (DoS) attacks.

Based on our investigation, BKDR_ADDNEW has built-in functionality that allows malicious actors to “update” the malware on a compromised computer.

Today’s successful targeted attacks use a combination of social engineering, malware, and backdoor activities. Though there are a variety of tools available to attackers, they tend to prefer specific ones.

While they can routinely create new malware executables with automated builders and embed them in documents designed to exploit vulnerabilities in popular office software, the traffic generated by the malware when communicating with a C&C server tends to remain consistent.

This is significant because targeted attacks are rarely a “singular set of events,” but are in fact part of ongoing campaigns. They are consistent espionage campaigns—a series of failed and successful attempts to compromise a target over time—that aim to establish a persistent and covert presence in a target network so that information can be extracted when needed.
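Because the post notes that a tool's C&C traffic tends to stay consistent even as the executables change, the BKDR_ADDNEW ports and the dynamic-DNS hostname described in the excerpts above can be turned into a simple log-based check. The following is an added example, not code from the original posts; the log format, the hostnames and IPs in the sample lines, and the dynamic-DNS suffixes beyond no-ip.org are constructed assumptions.

```python
import re

# Constructed sample of outbound connection log lines (not from the original post).
# Fields: timestamp src_ip dst_host dst_ip dst_port proto
SAMPLE_LOG = """\
2012-12-20T10:01:02 10.0.0.5 updates.example.com 198.51.100.10 443 tcp
2012-12-20T10:02:15 10.0.0.7 host117.no-ip.org 203.0.113.114 3175 tcp
2012-12-20T10:02:16 10.0.0.7 host117.no-ip.org 203.0.113.114 3175 tcp
2012-12-20T10:05:40 10.0.0.9 mail.example.com 198.51.100.25 25 tcp
2012-12-20T10:07:03 10.0.0.12 203.0.113.116 203.0.113.116 3085 tcp
2012-12-20T10:08:11 10.0.0.5 cdn.example.net 198.51.100.44 80 tcp
"""

# Ports the post names for BKDR_ADDNEW samples (3175 is the default). 443 is left
# out because a bare port match cannot separate it from ordinary HTTPS traffic.
ADDNEW_PORTS = {3175, 3176, 3085}
# The post's sample resolved a no-ip.org hostname; the extra suffixes are
# assumptions added for illustration.
DYNDNS_SUFFIXES = (".no-ip.org", ".no-ip.biz", ".dyndns.org")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\w+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, dst, port, proto = m.groups()
    return {"ts": ts, "src": src, "host": host, "dst": dst,
            "port": int(port), "proto": proto}

def classify(rec):
    """Return the reasons a record looks like BKDR_ADDNEW C&C traffic (empty if none)."""
    reasons = []
    if rec["proto"] == "tcp" and rec["port"] in ADDNEW_PORTS:
        reasons.append(f"port {rec['port']} matches a BKDR_ADDNEW sample port")
    if rec["host"].lower().endswith(DYNDNS_SUFFIXES):
        reasons.append("dynamic-DNS hostname")
    return reasons

def find_suspicious(log_text):
    """Return (src_ip, host, port, reasons) for every line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and (reasons := classify(rec)):
            hits.append((rec["src"], rec["host"], rec["port"], reasons))
    return hits
```

Repeated hits from the same internal source (10.0.0.7 in the sample) are the beaconing pattern worth triaging first; a single port match on its own is only a lead.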